[Owasp-board] Member Nation Portal

Tobias tobias.gondrom at owasp.org
Mon Dec 16 16:35:42 UTC 2013


Excellent idea.

And @Dave: just in case they have problems with making the security
review "public". IMHO, we would also be fine for some of us to review
the results. We don't necessarily need them to make them "public",
though we would of course appreciate it.

Cheers, Tobias


On 16/12/13 16:20, Jim Manico wrote:
> Many of the Salesforce security features are optional (especially
> around authentication).
>
> An "OWASP audit" will be good to manage our risk and will also be a
> good community exercise. I'd be happy to make a call for and organize
> volunteers for this when the time is ready.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Dec 16, 2013, at 8:02 AM, Dave Wichers <dave.wichers at owasp.org
> <mailto:dave.wichers at owasp.org>> wrote:
>
>> All,
>>
>>  
>>
>> At this point we have 4 votes to pass: me, Tom, Seba, Jim
>>
>>  
>>
>> Which is enough to pass. In the interests of giving the team as much
>> time as possible to implement the changes that need to be put in
>> place before the next major conference, we are going to go ahead and
>> put the contract in place.
>>
>>  
>>
>> That said, I'm still going to work with them on their security story
>> to get more information and hopefully also get them to allow us to
>> sponsor an OWASP pen test against their site so we can prove it to
>> ourselves if we want to. They have indicated at a high level they
>> would be amenable to that.
>>
>>  
>>
>> The last feedback we got from them was:
>>
>>  
>>
>> "Naturally we are taking advantage of all the security features
>> Salesforce provides for the portals like authentication and
>> authorization. Additionally MemberNation has successfully passed the
>> arduous Salesforce security review. This is a pretty comprehensive
>> review process that usually takes 6 - 8 weeks.
>>
>>  
>>
>> Of course we are always interested in ways to enhance and improve our
>> technology and I would be open to discussing how OWASP could assist."
>>
>>  
>>
>> I have asked them if they can make any of the results of this
>> security review public, and they indicated no one has ever asked for
>> that before... so they are looking into that.
>>
>>  
>>
>> -Dave
>>
>>  
>>
>> From: owasp-board-bounces at lists.owasp.org
>> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Eoin Keary
>> Sent: Sunday, December 15, 2013 8:19 AM
>> To: Tom Brennan - OWASP
>> Cc: OWASP Foundation Board List
>> Subject: Re: [Owasp-board] Member Nation Portal
>>
>>  
>>
>> If security checks out I am happy with voting yes.
>>
>> If suited we can onboard the portal with edgescan and perform monthly
>> assessments?
>>
>>  
>>
>>
>>
>> Eoin Keary
>>
>> Owasp Global Board
>>
>> +353 87 977 2988
>>
>>  
>>
>>
>> On 15 Dec 2013, at 00:12, Tom Brennan - OWASP <tomb at owasp.org
>> <mailto:tomb at owasp.org>> wrote:
>>
>>     https://code.google.com/p/force-dot-com-esapi/
>>
>>
>>
>>
>>     On Dec 14, 2013, at 3:55 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         Can we do a third party audit of this "custom salesforce
>>         module"? I am certain we can rally a few volunteers to do
>>         this for free.
>>
>>          
>>
>>         Aloha,
>>
>>         --
>>
>>         Jim Manico
>>
>>         @Manicode
>>
>>         (808) 652-3805
>>
>>
>>         On Dec 14, 2013, at 11:49 AM, Dave Wichers
>>         <dave.wichers at owasp.org <mailto:dave.wichers at owasp.org>> wrote:
>>
>>             I just learned from the vendor that:
>>
>>              
>>
>>             100% of our application (back end and portals) is built
>>             on Salesforce, which guarantees their security and
>>             reliability (www.trust.salesforce.com
>>             <http://www.trust.salesforce.com>).
>>
>>              
>>
>>             Now I don't know if that means they can't introduce an
>>             XSS into their portal that is exposed by Salesforce to
>>             the world, for example, but I suspect it makes it less
>>             likely. And we already trust Salesforce today, so at this
>>             point I would certainly think it's 'good enough'.
>>
>>              
>>
>>             -Dave
>>
>>              
>>
>>              
>>
>>             From: Eoin Keary [mailto:eoin.keary at owasp.org]
>>             Sent: Saturday, December 14, 2013 1:06 PM
>>             To: Dave Wichers
>>             Cc: Sarah Baso; OWASP Foundation Board List
>>             Subject: Re: [Owasp-board] Member Nation Portal
>>
>>              
>>
>>             Ta Dave.
>>
>>             So can we answer the sec question??
>>
>>             Eoin Keary
>>
>>             Owasp Global Board
>>
>>             +353 87 977 2988
>>
>>              
>>
>>
>>             On 14 Dec 2013, at 17:55, "Dave Wichers"
>>             <dave.wichers at owasp.org <mailto:dave.wichers at owasp.org>>
>>             wrote:
>>
>>                 I forgot to ask Fonteva (the vendor) about the
>>                 security question (shame on me). Sarah -- can you ask
>>                 them about that or have you already? Hope so....
>>
>>                  
>>
>>                 All our users will be going through Salesforce to
>>                 access the data they provide. They don't access
>>                 Fonteva (Member Nation is the name of their service)
>>                 directly. So most of the security is provided by
>>                 Salesforce, not Fonteva, which is a significant
>>                 mitigating factor. For example, all
>>                 authentication/authorization is from Salesforce.
>>
>>                  
>>
>>                 The cost savings are clearly spelled out in the
>>                 referenced doc Sarah forwarded the link to, and they
>>                 are substantial:
>>
>>                 Year   Current systems   Member Nation   Annual difference / total savings recognized
>>                 1      $35,000           $56,789         +$21,789 added cost in year 1
>>                 2      $35,000           $11,100         $23,900 annual savings / +$2,111 total
>>                 3      $35,000           $11,100         $23,900 annual savings / $26,011 total
>>                 4      $35,000           $11,100         $23,900 annual savings / $49,911 total
>>                 5      $35,000           $11,100         $23,900 annual savings / $73,811 total
>>
>>                 (Year 1 current-systems breakdown: $20k Cvent, $7k
>>                 regonline, $1k forms & surveys, $7k CFP, CFT &
>>                 scheduling software.)
>>
>>                  
>>
>>                 I'm not worried about Fonteva going out of business.
>>                 We've never pushed on that point with any of our
>>                 previous providers. They are a Salesforce partner,
>>                 and Salesforce wouldn't enter into an arrangement
>>                 with them if they were seriously worried about that.
>>                 Go read: http://www.fonteva.com/company/about/.
>>                 They have 4000 customers already. So they are a
>>                 pretty big outfit.
>>
>>
>>
>>                 -Dave
>>
>>                  
>>
>>                  
>>
>>                 From: owasp-board-bounces at lists.owasp.org
>>                 [mailto:owasp-board-bounces at lists.owasp.org] On
>>                 Behalf Of Eoin Keary
>>                 Sent: Saturday, December 14, 2013 4:43 AM
>>                 To: Sarah Baso
>>                 Cc: OWASP Foundation Board List
>>                 Subject: Re: [Owasp-board] Member Nation Portal
>>
>>                  
>>
>>                 Hey,
>>
>>                 Before I vote I need to understand.
>>
>>                  
>>
>>                 Have they had a penetration test / code review / SDLC
>>                 security, etc. etc.?
>>
>>                 Any evidence of security on the SaaS?
>>
>>                 Would be rather ironic if they were hacked and our
>>                 data was pasted all over the web?
>>
>>                  
>>
>>                 What are the tangible savings? How much is projected
>>                 per year / over 3 years?
>>
>>                  
>>
>>                 If the company collapses, what happens to our data?
>>
>>                  
>>
>>                  
>>
>>
>>
>>                 Eoin Keary
>>
>>                 Owasp Global Board
>>
>>                 +353 87 977 2988
>>
>>                  
>>
>>
>>                 On 13 Dec 2013, at 17:53, Sarah Baso
>>                 <sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>>
>>                 wrote:
>>
>>                     All -
>>
>>                      
>>
>>                     Dave, Kate, and I had a call with our rep at
>>                     Member Nation today and I also have spent a bit
>>                     of time on the financials. I have updated the
>>                     proposal
>>                     here: https://docs.google.com/a/owasp.org/document/d/1yDTFCdmmZN3t732sqHTOFHMhQrXgUC46YbgDhGROcXM/edit
>>
>>                      
>>
>>                     Here are the key points of new information
>>
>>                       * The cost of all the systems that the new
>>                         Member Nation Portal will be able to replace
>>                         for us starting in 2014 is $35,000/year.
>>                         Note that some of those systems/costs are
>>                         based on actual registrations so I have used
>>                         past numbers and current projections to put
>>                         together an estimate.
>>                       * This "cost" does not include the staff
>>                         time/costs in managing multiple registration
>>                         systems, running ineffective reports, and
>>                         other operational overhead.  I expect that
>>                         this new system will be much better for our
>>                         data management and staff time in managing
>>                         (not to mention the benefits for the community).
>>                       * The first year costs at this point are
>>                         estimates ($45,000) and we are hoping to get
>>                         that number down by handling some of our own
>>                         data migration and customization.
>>                       * On our call this morning, we learned that
>>                         Salesforce has adjusted some of its pricing
>>                         (and minimums), which will save us an
>>                         additional $2600 on our annual fees (reducing
>>                         them to $11,100)
>>                       * *We should be able to break even with costs
>>                         after 2 years and recognizing $26,000 in
>>                         savings in year 3.*
>>
>>                      
>>
>>                     Here are some answers to the other questions in
>>                     this thread:
>>
>>                      
>>
>>                     *Internationalization*
>>
>>                       * Yes, it supports internationalization - currency
>>                         is based on merchant accounts and we will be
>>                         able to accept payments in other currencies
>>                         (which will settle into whatever accounts we
>>                         have set up).
>>                       * Languages - Salesforce translates into the
>>                         following languages (built in): English,
>>                         French, German, Italian, Japanese, Spanish,
>>                         Swedish, Korean, Simplified Chinese,
>>                         Traditional Chinese, and Thai
>>
>>                      
>>
>>                     *Handling payments*
>>
>>                       * Payments will be handled through our same
>>                         payment processors - Chase Paymentech and
>>                         Payflow Pro. Member Nation itself is not
>>                         accepting the money.
>>
>>                      
>>
>>                     *Protection of data*
>>
>>                       * Data is held by Salesforce, I don't foresee
>>                         issues with this.
>>
>>                      
>>
>>                     *Because time is of the essence in making a
>>                     decision on this and going forward with the
>>                     contract (we need to have a full 3 months to
>>                     implement and roll out, and need to plan for
>>                     event registrations in 2014 as well as
>>                     memberships with the new membership model) - I am
>>                     adding this for a vote on Monday's board meeting.
>>                      This is included in the budget, but even if the
>>                     budget isn't finalized Monday it is critical for
>>                     the operations team to have a decision on this.*
>>
>>                      
>>
>>                     *Sarah*
>>
>>                      
>>
>>                      
>>
>>                      
>>
>>                     On Thu, Dec 5, 2013 at 5:50 AM, Fabio Cerullo
>>                     <fcerullo at owasp.org <mailto:fcerullo at owasp.org>>
>>                     wrote:
>>
>>                     Sarah,
>>
>>                      
>>
>>                     I've checked the tool and it indeed looks
>>                     impressive. There are a few questions on which I
>>                     would appreciate your clarification:
>>
>>                      
>>
>>                     - Does the platform support internationalisation?
>>                     Eg. Would members in Asia/Latin America be able
>>                     to use it?
>>
>>                      
>>
>>                     - Does it handle payments for conferences,
>>                     memberships, etc? If so, is it PCI-DSS certified
>>                     to accept payments? 
>>
>>                      
>>
>>                     - Eoin's point about escrow... would it be
>>                     possible to pay in monthly installments? This
>>                     could limit our liability if they go bust.
>>
>>                      
>>
>>                     - Regarding the protection of our data... do they
>>                     have any certifications such as ISO27001/SAS70?
>>
>>                      
>>
>>                     Thanks,
>>                     Fabio
>>
>>                      
>>
>>                     On Thu, Dec 5, 2013 at 9:47 AM, Eoin
>>                     <eoin.keary at owasp.org
>>                     <mailto:eoin.keary at owasp.org>> wrote:
>>
>>                     If there is no escrow...
>>
>>                     Let's say we spend 40K and the service is
>>                     terminated / company folds etc. etc. Do we have any
>>                     protection?
>>
>>                     Does the system have adequate protection of our
>>                     data also? Security of our data?
>>                     SLA/availability, access to our data if the
>>                     company folds?
>>
>>                     These are common questions when outsourcing
>>                     services to SaaS and COTS solutions.
>>
>>                      
>>
>>                     Eoin
>>
>>                      
>>
>>                      
>>
>>                      
>>
>>                     On 5 December 2013 05:11, Seba <seba at owasp.org
>>                     <mailto:seba at owasp.org>> wrote:
>>
>>                     Hi
>>
>>                     Kate showed me this in New York, and it seems a
>>                     really good fit for owasp. I fully support this
>>                     proposal.
>>
>>                     Regards
>>                     Seba
>>
>>                     On 04 Dec 2013 22:00, "Sarah Baso"
>>                     <sarah.baso at owasp.org
>>                     <mailto:sarah.baso at owasp.org>> wrote:
>>
>>                         Board members -
>>
>>                         This came up briefly on Monday's budget call,
>>                         but I wanted to provide some additional
>>                         operational details on the portal that the
>>                         staff would like to transition to in 2014.  
>>
>>                         Details are available here: 
>>
>>                         https://docs.google.com/a/owasp.org/document/d/1yDTFCdmmZN3t732sqHTOFHMhQrXgUC46YbgDhGROcXM/edit
>>
>>                         Additionally -  here is a short video demo
>>                         put together by another organization about
>>                         the
>>                         portal: http://www.youtube.com/watch?v=g7s5j-i9BUU
>>
>>                         Info about Member Nation by
>>                         Fonteva: http://www.fonteva.com/products/membernation/
>>
>>                         *Operational Notes:*
>>
>>                         * The transition to Member Nation is MUCH MORE
>>                           than a new system for membership and event
>>                           registration; it is a community management
>>                           platform that will give us tools to assist
>>                           with volunteer management and recognition
>>                           and a place for dynamic update of project
>>                           and chapter related data so we can gather
>>                           metrics and run reports. It will also be a
>>                           one stop shop for community members to
>>                           manage all their information: membership,
>>                           event, chapters, projects, volunteer and
>>                           other ways they interact with OWASP.
>>
>>                         * The critical points are that in order to
>>                           implement as smooth a transition as
>>                           possible, we would like to have a 3 month
>>                           roll out plan (starting no later than
>>                           January 1) to be completed by end of Q1 when
>>                           our 2 year contract with Cvent expires.
>>                           Additionally, I know there were some points
>>                           of frustration and lack of communication in
>>                           the move from Regonline to Cvent a couple of
>>                           years ago, so the more time we have to plan
>>                           and work on the roll out plan, the better.
>>
>>                         * The OWASP Staff will manage the set up of
>>                           events and other administration of the
>>                           portal - and will receive training as part
>>                           of our set up costs. The portal does support
>>                           various access controls and "roles" for
>>                           members of the community (i.e. chapter
>>                           leader, project leader, event planner).
>>
>>                         *Financial*
>>
>>                          
>>
>>                         There will be a one time set up cost of
>>                         $45,689 and an ongoing annual portal user fee
>>                         of $13,500 - so a total of $59,189 for the
>>                         first year. This $13,500 will significantly
>>                         reduce our annual costs for other
>>                         registration and membership systems
>>                         (estimated at $24,856) and enable us to
>>                         dramatically decrease our fees over the next
>>                         several years.
>>
>>
>>
>>                         Please let me know any additional questions
>>                         you have.
>>
>>
>>
>>                         Regards,
>>
>>                         Sarah Baso
>>
>>                          
>>
>>                         -- 
>>
>>                         Executive Director
>>
>>                         OWASP Foundation
>>
>>                          
>>
>>                         sarah.baso at owasp.org
>>                         +1.312.869.2779
>>
>>
>>
>>                          
>>
>>                         _______________________________________________
>>                         Owasp-board mailing list
>>                         Owasp-board at lists.owasp.org
>>                         <mailto:Owasp-board at lists.owasp.org>
>>                         https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>>
>>                     -- 
>>                     Eoin Keary
>>                     OWASP Member
>>                     https://twitter.com/EoinKeary
>>
>>                      
>>
>>
>>                      
>>
>>
>>
>>
>>                      
>>
>>                     -- 
>>
>>                     Executive Director
>>
>>                     OWASP Foundation
>>
>>                      
>>
>>                     sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>>                     +1.312.869.2779
>>
>>
>>
>>
>>
>
